The log service for Web Application Firewall (WAF) collects and stores web access and attack protection logs from your WAF protected objects, including cloud service instances and domain names. Built on Alibaba Cloud Log Service, it provides log query and analysis, data visualization, alerting, and integration with downstream computing services. This lets you focus on analysis rather than manually querying and organizing log data.
Intended users
- Large enterprises and organizations with compliance requirements for storing host, network, and security logs for their cloud assets, such as financial firms and government agencies.
- Enterprises with their own security operations center that need to centralize the collection and management of security alerts and other logs, such as those in real estate, e-commerce, finance, and government sectors.
- Technically advanced enterprises that require in-depth analysis of cloud asset logs and automated alert handling, such as those in the IT, gaming, and finance industries.
- Users who need to trace security incidents, generate periodic security reports, or meet classified protection requirements.
Use cases
- Investigate security threats by tracking web attack logs.
- Monitor web request activity to understand status and trends.
- Gain insights into your security operations and respond quickly to anomalies.
- Send security logs to your own data and computing centers.
Benefits
- Compliance support: Store website access logs for more than six months to help meet classified protection requirements.
- Flexible configuration:
  - Easily configure the collection of web access and attack protection logs.
  - Customize log fields, storage types, and select the specific WAF protected objects, such as cloud service instances or domain names, for log collection.
  - Modify or create custom report templates based on your business or security needs to quickly assess the security status of your website.
- Real-time analysis: Powered by Alibaba Cloud Log Service, this feature provides real-time log analysis, an out-of-the-box report center, and interactive data exploration, reducing analysis time from minutes to seconds and giving you immediate visibility into web attacks and access details.
- Real-time alerting: Customize monitoring and alert rules based on specific metrics to ensure a prompt response when exceptions occur in critical services.
- Ecosystem integration: Integrate with other services like real-time computing, cloud storage, and data visualization solutions to further unlock the value of your data.
Billing
Subscription
After you enable the log service, you are charged based on log storage capacity.
Pay-as-you-go
Charges for the WAF log service are metered and billed through Alibaba Cloud Log Service and are not included in your WAF bill. For more information about WAF log service billing, see Pay-by-feature billing.
The log service is disabled by default for a WAF instance. To use this feature, enable the log service for WAF. For more information, see Enable or disable log service.
Features
Feature | Description |
--- | --- |
Log Configuration | After you enable the log service for WAF, you can enable log collection for your protected objects, such as cloud service instances and domain names. WAF collects and stores logs only for protected objects that have log collection enabled. You can then query and analyze the log data. For more information about the fields in WAF logs, see Fields in logs. To learn how to enable log collection for a protected object, see Configure log settings and manage log storage capacity. You can change the default log storage settings, including the log fields to store and the log types to store (normal request log, detection log, and block log). For more information, see Configure log settings and manage log storage capacity. |
Log Query | Use query statements to search and analyze the collected log data. For more information, see Log query. You can create alerts based on query statements. After an alert is created, Log Service periodically checks the query and analysis results. If a result meets the predefined conditions, Log Service sends you an alert notification. This enables real-time service monitoring. For more information, see Quickly set up log-based alerting. |
Log storage capacity upgrade | After you enable the log service for Web Application Firewall (WAF), upgrade the log storage capacity promptly if it is nearly or completely full. This prevents write failures to the Logstore. For more information, see Log storage capacity upgrade. For more information about how to handle full log storage, see What do I do if log storage capacity is exhausted? |
Storage Period | The log retention period affects your storage costs. A shorter retention period reduces costs. You can set an appropriate retention period based on your business requirements, compliance needs, cost, and performance considerations. |